I understand the check is needed.
It is that we are not checking the right package but "java.lang"
Thanks,
Michal
Peter wrote:
Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission check is caller sensitive. In this case AbstractILFactory is the caller, so not checking it would allow an attacker to bypass the check using AbstractILFactory.
Cheers,
Peter.
Sent from my Samsung device.
Include original message
---- Original message ----
From: "Michał Kłeczek (XPro Sp. z o. o.)"<michalklec...@xpro.biz>
Sent: 06/02/2017 05:06:32 pm
To: dev@river.apache.org
Subject: AbstractILFactory bug?
I have just found this piece of code in AbstractILFactory:
Class[] interfaces = getProxyInterfaces(impl);
...
for (int i = 0; i< interfaces.length; i++) {
Util.checkPackageAccess(interfaces[i].getClass());
}
So we check "java.lang" package access.
A bug?
Thanks,
Michal
